[PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs
Gao Xiang
xiang at kernel.org
Sun Mar 17 18:08:14 AEDT 2024
On Sun, Mar 17, 2024 at 02:45:09PM +0800, Yifan Zhao wrote:
> If a segment is smaller than the block size, sizeof(sctx->membuf) should
> be at least as large as the block size, as memory write into the buffer
> is done in block size.
>
> Signed-off-by: Yifan Zhao <zhaoyifan at sjtu.edu.cn>
> ---
Folded the following diff into the original patch:
diff --git a/lib/compress.c b/lib/compress.c
index aeb7013..8d88dd1 100644
--- a/lib/compress.c
+++ b/lib/compress.c
@@ -1096,11 +1096,11 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
struct erofs_compress_work *cwork = (struct erofs_compress_work *)work;
struct erofs_compress_wq_tls *tls = tlsp;
struct z_erofs_compress_sctx *sctx = &cwork->ctx;
+ struct erofs_sb_info *sbi = sctx->ictx->inode->sbi;
int ret = 0;
- ret = z_erofs_mt_wq_tls_init_compr(sctx->ictx->inode->sbi, tls,
- cwork->alg_id, cwork->alg_name,
- cwork->comp_level,
+ ret = z_erofs_mt_wq_tls_init_compr(sbi, tls, cwork->alg_id,
+ cwork->alg_name, cwork->comp_level,
cwork->dict_size);
if (ret)
goto out;
@@ -1109,7 +1109,7 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
sctx->destbuf = tls->destbuf;
sctx->chandle = &tls->ccfg[cwork->alg_id].handle;
- sctx->membuf = malloc(sctx->remaining);
+ sctx->membuf = malloc(round_up(sctx->remaining, erofs_blksiz(sbi)));
if (!sctx->membuf) {
ret = -ENOMEM;
goto out;
--
2.30.2
More information about the Linux-erofs
mailing list